PT-2026-8366 · Smoothwall · Smoothwall Express

Ozer Goker · Published 2026-02-16 · Updated 2026-02-16 · CVE-2019-25383

CVSS v3.1: 6.1 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Smoothwall Express version 3.1-SP4-polar-x86 64-update9

Description

The software contains multiple reflected cross-site scripting issues within the apcupsd.cgi script. Attackers can inject malicious scripts by submitting crafted POST requests containing script payloads in several parameters. These parameters include BATTLEVEL, RTMIN, BATTDELAY, TO, ANNOY, UPSIP, UPSNAME, UPSPORT, POLLTIME, UPSUSER, NISPORT, UPSAUTH, EMAIL, FROM, CC, SMSEMAIL, SMTPSERVER, PORT, USER, and EMAIL PASSWORD. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of affected users.

Recommendations

Smoothwall Express version 3.1-SP4-polar-x86 64-update9: Sanitize all input received through the POST parameters BATTLEVEL, RTMIN, BATTDELAY, TO, ANNOY, UPSIP, UPSNAME, UPSPORT, POLLTIME, UPSUSER, NISPORT, UPSAUTH, EMAIL, FROM, CC, SMSEMAIL, SMTPSERVER, PORT, USER, and EMAIL PASSWORD in the apcupsd.cgi script to prevent the injection of malicious scripts.
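
The sanitization recommended above, sketched as an added example (not Smoothwall's code, which this page does not show). The parameter names come from the advisory; the value formats assigned to them, the function names and the sample form are assumptions. Each field is checked against an allowlist, and every value written back into the page is HTML-encoded.

```python
import html
import re

# Parameter names are from the advisory. The formats assigned to them
# here are assumptions made for this example.
NUMERIC = {"BATTLEVEL", "RTMIN", "BATTDELAY", "TO", "ANNOY",
           "UPSPORT", "POLLTIME", "NISPORT", "PORT"}
HOSTLIKE = {"UPSIP", "SMTPSERVER"}
EMAILS = {"EMAIL", "FROM", "CC", "SMSEMAIL"}

RE_NUM = re.compile(r"[0-9]{1,5}")
RE_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")
RE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}")


def validate(name, value):
    """Return True if value matches the allowlisted format for name."""
    if name in NUMERIC:
        return RE_NUM.fullmatch(value) is not None
    if name in HOSTLIKE:
        return RE_HOST.fullmatch(value) is not None
    if name in EMAILS:
        return RE_EMAIL.fullmatch(value) is not None
    # Remaining fields are treated as free text: cap the length and
    # refuse control characters. Markup characters can still pass here.
    return len(value) <= 64 and value.isprintable()


def render_input(name, value):
    """Emit one form field with the value encoded for an HTML attribute."""
    return '<input type="text" name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(value, quote=True))


def handle_post(form):
    """Validate every field, then re-render the form with encoded values.

    Rejected values are still echoed back so the user can correct them,
    which is why encoding happens at output regardless of validation.
    """
    errors = sorted(n for n, v in form.items() if not validate(n, v))
    page = "\n".join(render_input(n, v) for n, v in form.items())
    return errors, page


# Constructed sample submission: one valid field, two carrying markup.
SAMPLE_FORM = {
    "UPSIP": "192.0.2.10",
    "BATTLEVEL": '5"><script>alert(1)</script>',
    "UPSNAME": '"><script>alert(1)</script>',
}
```

The UPSNAME value passes the free-text check yet is still rendered inert, which is why encoding at output is needed in addition to input validation.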

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-25383

Affected Products

Smoothwall Express